The answer to your question is quite simple, you must understand and study what is it you are trying to exploit.
Then read up on exploitation of what you are specifically trying to exploit to get some idea of how other people have done it then go from there.

If your planning on exploiting web application vulnerabilities for example then you need to have a good knowledge of PHP, ASP.NET (C#), SQL, Databasing, Javascript and web application technologies. If you think your going to be able to do some decent exploitation (any more than mediocre stuff) with out knowledge and understanding of what you are trying to do then forget it. There are plenty of papers on most of the publicly known types of vulnerabilities that you can learn from.

the best is always to begin with the simple and easier stuff. Vulns like XSS, SQL injections in websites that are not popular and the programmers doesnt put security as a priority are usually easier and more likely to contain vulns. you can use vulnerability scanners that automate the job for you, so you can understand what has been found, why the vuln exists and how you can exploit that.

Finding and exploiting vulnerabilities in Operating systems and softwares can be harder, but the impact is usually much greater. you need to understand how both the software and the Operating system where it is installed work, how their security is implemented, what you could do to bypass it and finally know the common types of vulnerabilities such as buffer overflows and perform research to try and find a vulnerability in the program. Within this kind of vuln, usually the program will freeze and eventually crash, and that could be a potential indicator that you found an exploitable vuln. After that you will have to overcome both operating system and software specific security measures to preotect against successfull exploitation of vulnerabilities. These protections usually blocks code execution so you can only crash the affected software upon exploiting a vuln, so that you would need to bypass them. Luckily people shared articles on how to defeat the protections. Just remember that public stuff usually gets known by Vendors and they eventually patch their system/softwares.

You should get yourself some vulnerable applications and a working exploit code (if the application has been patched, get the version that is still vulnerable) to see what happens, how it happens and what has been done to successfully exploit the vuln. that is a good start too

Embed any executable in a JPEG image and get it to run upon opening the image with this cool tool that abuses a feature of GDI in Windows systems. for governmentsecurity.org members only! click here to get it!

I have the first print of this book. It's very good but it does not cover webapp pentesting. Still a very good read on buffer overflows, ret2libc, formatstrings.. stuff like that. Good intro into encryption too.

Come to think of it I think I'll buy latest print, should be interesting enough.

"Ask the right question and you will receive the right answer. I'm just very sensitive about the right syntax"